SOC 2 Compliance Templates
SOC 2 Type II evidence collection templates, policy documents, control matrices, and audit preparation guides.
📄 Product Preview
Try the interactive reader and demo tools below, or get the full product with all content unlocked.
📖 Interactive Reader (Free Preview) ⚙ Try Demo Tools 📦 Download Free Sample📁 File Structure 27 files
📖 Documentation Preview README excerpt
SOC 2 Compliance Templates
A complete, fill-in-ready toolkit for preparing for a SOC 2 Type II audit:
the Trust Services Criteria explained, a control matrix that maps controls to
evidence, ready-to-adopt policy documents, evidence-collection templates, an
auditor-readiness checklist, and a fully worked example of operating a control
end to end.
This is the kit I wish I'd had the first time. It is written for engineering-led
startups and scale-ups pursuing their first (or cleaner next) SOC 2 — **no
compliance-automation platform required**, though everything here works
alongside one.
Not legal advice. SOC 2 reports are issued by licensed CPA firms. These
templates help you prepare; your auditor and counsel make the final calls on
scope, controls, and the report.
Who this is for
- Founders/engineers told by a prospect "we need your SOC 2 before we can buy."
- Security or platform engineers tasked with standing up a compliance program.
- Anyone who wants to understand what SOC 2 actually requires before paying a
consultant to tell them.
What's inside
soc2-compliance-templates/
├── README.md # You are here
├── LICENSE
├── docs/
│ ├── soc2-overview.md # Type I vs II, the players, the timeline
│ ├── trust-services-criteria.md # All 5 TSC + the 9 Common Criteria, mapped
│ ├── control-implementation-guide.md # How to actually stand up each control
│ ├── evidence-collection-guide.md # What good evidence looks like; cadence
│ └── auditor-readiness-checklist.md # The pre-fieldwork readiness gate
├── policies/
│ ├── information-security-policy.md # POL-001 master policy
│ ├── access-control-policy.md # POL-002 (CC6)
│ ├── change-management-policy.md # POL-003 (CC8)
│ ├── incident-response-policy.md # POL-004 (CC7)
│ ├── vendor-management-policy.md # POL-005 (CC9.2)
│ ├── risk-assessment-policy.md # POL-006 (CC3, CC9.1)
│ └── business-continuity-policy.md # POL-007 (Availability)
├── templates/
│ ├── control-matrix.csv # Controls → criteria → owner → evidence
│ ├── evidence-request-list.csv # The auditor "PBC" list, pre-mapped
│ ├── evidence-collection-log.csv # Your evidence tracker
│ ├── risk-register.csv # Living risk register
│ └── vendor-inventory.csv # Third-party / subprocessor inventory
└── examples/
└── worked-example-quarterly-access-review.md # One control, operated end-to-end
How to use this toolkit
SOC 2 is a marathon, not a document dump. Work in this order:
... continues with setup instructions, usage examples, and more.
📄 Content Sample examples/worked-example-quarterly-access-review.md
Worked Example: A Quarterly User Access Review (Control CTL-AC-05)
This is a filled-in example of operating one control — the quarterly access
review (CTL-AC-05, mapping to CC6.3) — from trigger to evidence. It uses a
fictional company, Acme Corp (example.com), so you can see exactly what
"good" looks like before you do your own. Names and accounts are illustrative.
Use this as a model for your Q1/Q2/Q3/Q4 reviews. The finished artifact (this
document, signed and dated) is what you hand the auditor for PBC-009.
Review metadata
| Field | Value |
|---|---|
| Control | CTL-AC-05 — Quarterly user access review |
| System under review | Production PostgreSQL database (acme-prod-db) |
| Review period | Q1 2026 (Jan 1 – Mar 31) |
| Review date | 2026-04-03 |
| Reviewer | Dana Lee, Engineering Manager (system owner) |
| Independent of provisioning? | Yes — reviewer does not grant access |
| Source of truth | IdP group acme-prod-db-access export, 2026-04-02 |
| Outcome | 9 accounts reviewed; 7 retained, 2 revoked, 1 downgraded |
Step 1 — Pull the population
Exported the current membership of the access group from the identity provider on
2026-04-02. Every human and service account with access to acme-prod-db must
appear here. Export saved as access-review_prod-db_Q1_2026_population.csv.
Step 2 — Review each account
For each account the reviewer answered: (a) Is this person/service still here and
in a role that needs this access? (b) Is the privilege level correct
(least privilege)? (c) Is there a business justification on record?
| # | Account | Role | Access level | Still required? | Decision | Reason |
|---|---|---|---|---|---|---|
| 1 | dana.lee@example.com | Eng Manager | read-only | Yes | Retain | Owns service; needs read for debugging. |
| 2 | sam.ortiz@example.com | Backend Engineer | read-write | Yes | Retain | Active on this service. |
| 3 | priya.nair@example.com | Backend Engineer | read-write | Yes | Retain | Active on this service. |
| 4 | leo.martin@example.com | Backend Engineer | admin | No (level) | Downgrade | Has admin but only needs read-write; over-privileged. |
| 5 | jordan.kim@example.com | Data Analyst | read-only | Yes | Retain | Needs read for reporting; justified. |
| 6 | alex.rivera@example.com | Former Engineer | read-write | No | Revoke | Transferred to another team in Feb; access not needed. |
| 7 | morgan.diaz@example.com | Contractor | read-only | No | Revoke | Contract ended 2026-03-15; account should have been removed. |
| 8 | svc-backup@example.com | Service account | read-only | Yes | Retain | Used by nightly backup job; justified and vaulted. |
| 9 | svc-analytics@example.com | Service account | read-only | Yes | Retain | Used by analytics ETL; justified. |
... and much more in the full download.